Allow Athena query to S3 bucket

I have this bucket policy and it works correctly. The only problem is that it does not allow Athena queries. How do I modify this to allow Athena?

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::13cols/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "18.72.1.2/32",
                        "11.119.2.8/32",
                        "12.939.49.346/32",
                        "4.26.2.219/32"
                    ]
                }
            }
        }
    ]
}

I am aware of this link...

https://docs.aws.amazon.com/athena/latest/ug/managed-policies.html

But not sure how to merge it with current policy.


Solution 1:

You have a bucket policy, which is scoped to the bucket, and applies to any user or role that tries to make operations on that bucket. The link you refer to is about user and role policies, which apply to specific users only. When a user or role makes operations on a bucket the combination of their policies and the bucket policy is what governs what they are allowed to do.

The combination of the user or role policy with the bucket policy is not a union, but more like an intersection. What I mean by that is that if the user or role policy does not grant say s3:GetObject, it does not matter that the bucket policy grants that action. Both the user or role policy and the bucket policy must grant it. It's actually even more complicated when you take principals into account – but your bucket policy applies to everyone, so that is not the case here.

You say your policy works, but does not allow queries from Athena. That is true: since it is a bucket policy, it does not grant any user or role anything; it just specifies what a user or role would be allowed to do if they were otherwise allowed to access the bucket. Further, your policy just denies things. Explicitly denying does not mean allowing everything else; it just means that even if something else allows the things mentioned in your policy, your policy will overrule that (in this case: even if a user or role policy allowed s3:GetObject, your policy would deny that action if the source IP matched one of the mentioned ones – which is your intention, I presume).

The user or role you use to run the Athena query must have permission to

  1. run queries in Athena,
  2. access the catalog objects (i.e. databases and tables) in Glue,
  3. access an S3 bucket where query results can be stored, and
  4. access the S3 bucket and objects that need to be read to run the query.

The managed policies you link to will help with 1-3, but you have to write 4. When a query is executed IAM will evaluate 1-4 plus the bucket policy, to see if the user or role is allowed to run the query.

Solution 2:

Athena does not support restricting or allowing access to Amazon S3 resources based on the aws:SourceIp condition key.

Per AWS Athena documentation here: https://docs.aws.amazon.com/athena/latest/ug/s3-permissions.html

Solution 3:

That is correct. Your bucket policy says: If the incoming request is not coming from one of these IP addresses, then do not let anyone do anything to this S3 bucket.

So, even if an Athena query is being run by somebody who is allowed to access the bucket, the above policy is blocking them because Athena is not coming in on one of those IP addresses.

To avoid this, you should find whatever policies are granting people access and put the IP address restriction on those policies, so that they say "Allow these people to access the bucket but only if they are coming from one of these IP addresses". That way, it is purely an Allow policy, rather than Allow and Deny.

Then, Allow bucket access to the user who is running the Athena queries, but do not restrict them by IP address (since Athena requests will not come from your IP address range).

Solution 4:

I think you could add a new condition to allow requests coming from Athena, as shown below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::13cols/*",
            "Condition": {
                "ForAllValues:StringNotEquals": {
                    "aws:CalledVia": "athena.amazonaws.com"
                },
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "18.72.1.2/32",
                        "11.119.2.8/32",
                        "12.939.49.346/32",
                        "4.26.2.219/32"
                    ]
                }
            }
        }
    ]
}

My comment is based on the following documentation:

https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena-calledvia.html
https://docs.aws.amazon.com/athena/latest/ug/s3-permissions.html
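The evaluation rules Solution 1 describes (a Deny-only bucket policy grants nothing, and an explicit Deny overrules any Allow), Solution 3's point that an IP-restricted Allow never matches Athena's call, and the aws:CalledVia exemption Solution 4 proposes, as an added simulation. This is not code from any of the answers or from AWS; it models only the decision rules and condition operators the thread relies on (explicit Deny wins; negated operators such as NotIpAddress match when the key is absent; ForAllValues is true and ForAnyValue is false on an absent key), omits Resource matching, and consults only the identity policy for Allow, which is exact here because the question's bucket policy has no Allow statement. The request contexts are constructed, the office CIDR list keeps the two syntactically valid addresses from the question, and the Athena call is modelled with aws:CalledVia set and no office aws:SourceIp.

```python
"""Simplified model of IAM policy evaluation for the S3 requests in this thread.

Added example, not AWS code. Only the operators used by the answers are
modelled; Resource matching is left out (every request targets the bucket).
"""
import fnmatch
import ipaddress

# Two syntactically valid addresses from the question's policy.
OFFICE_CIDRS = ["18.72.1.2/32", "4.26.2.219/32"]

# Constructed request contexts. A direct S3 call carries aws:SourceIp; a call
# Athena makes on the user's behalf carries aws:CalledVia and (modelled here
# as absent) no office aws:SourceIp, so NotIpAddress still matches it.
REQUESTS = {
    "console_from_office": {"aws:SourceIp": "18.72.1.2"},
    "cli_from_elsewhere": {"aws:SourceIp": "203.0.113.7"},
    "athena_query": {"aws:CalledVia": ["athena.amazonaws.com"]},
}

# Identity policy for the querying user (item 4 in Solution 1), hypothetical.
IDENTITY_ALLOW = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"]}

# Solution 3's pattern: the IP restriction lives on the Allow instead. Such an
# Allow never matches Athena's call, so the Athena user needs an unrestricted one.
IDENTITY_ALLOW_OFFICE_ONLY = {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_CIDRS}}}

# Bucket policy from the question: deny everything not from the office IPs.
ORIGINAL_DENY = {"Effect": "Deny", "Action": "s3:*",
                 "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_CIDRS}}}

# Conditions in one statement are ANDed, so ForAnyValue:StringEquals on
# aws:CalledVia makes the Deny apply only to Athena calls: the opposite intent.
INVERTED_DENY = {"Effect": "Deny", "Action": "s3:*",
                 "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": "athena.amazonaws.com"},
                               "NotIpAddress": {"aws:SourceIp": OFFICE_CIDRS}}}

# ForAllValues:StringNotEquals is true when no aws:CalledVia value is Athena
# (including when the key is absent), so this Deny exempts Athena's calls.
FIXED_DENY = {"Effect": "Deny", "Action": "s3:*",
              "Condition": {"ForAllValues:StringNotEquals": {"aws:CalledVia": "athena.amazonaws.com"},
                            "NotIpAddress": {"aws:SourceIp": OFFICE_CIDRS}}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_cidrs(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def condition_matches(operator, key, expected, ctx):
    """Evaluate one condition operator against the request context."""
    expected = _as_list(expected)
    have = _as_list(ctx[key]) if key in ctx else []
    if operator == "IpAddress":                      # false on absent key
        return bool(have) and _in_cidrs(have[0], expected)
    if operator == "NotIpAddress":                   # negated: true on absent key
        return not have or not _in_cidrs(have[0], expected)
    if operator == "ForAnyValue:StringEquals":       # false on absent key
        return any(v in expected for v in have)
    if operator == "ForAllValues:StringNotEquals":   # true on absent key
        return all(v not in expected for v in have)
    raise ValueError(f"operator not modelled: {operator}")


def statement_applies(stmt, action, ctx):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    return all(condition_matches(op, key, exp, ctx)
               for op, block in stmt.get("Condition", {}).items()
               for key, exp in block.items())


def evaluate(action, ctx, identity_statements, bucket_statements):
    """Explicit Deny from either policy wins; otherwise an identity Allow is
    needed; otherwise the request is implicitly denied."""
    if any(s["Effect"] == "Deny" and statement_applies(s, action, ctx)
           for s in identity_statements + bucket_statements):
        return "explicit deny"
    if any(s["Effect"] == "Allow" and statement_applies(s, action, ctx)
           for s in identity_statements):
        return "allow"
    return "implicit deny"


def decision_table(bucket_statement, identity_statement=IDENTITY_ALLOW):
    """Decision for s3:GetObject from each constructed request."""
    return {name: evaluate("s3:GetObject", ctx, [identity_statement], [bucket_statement])
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for label, stmt in [("original", ORIGINAL_DENY), ("inverted", INVERTED_DENY), ("fixed", FIXED_DENY)]:
        print(label, decision_table(stmt))
    print("no identity policy:", evaluate("s3:GetObject", REQUESTS["athena_query"], [], [FIXED_DENY]))
```

Running it shows the original Deny blocking both the CLI call from elsewhere and the Athena call, the ForAnyValue variant blocking only the Athena call while letting the CLI call from elsewhere through, and the ForAllValues:StringNotEquals variant denying the outside CLI call while allowing Athena. With no identity Allow at all the result is an implicit deny regardless of the bucket policy, which is the point Solution 1 makes about a Deny-only bucket policy.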